Question No: 331 – (Topic 4)

Your network contains an Active Directory domain. The domain contains an organizational unit (OU) named OU1. OU1 contains all managed service accounts in the domain.

You need to prevent the managed service accounts from being deleted accidentally from OU1.

Which cmdlet should you use?

A. Set-ADUser

B. Set-ADOrganizationalUnit

C. Set-ADServiceAccount

D. Set-ADObject

Answer: D

Explanation:

You can use Set-ADOrganizationalUnit and the -ProtectedFromAccidentalDeletion $true parameter to prevent OU1 from being deleted accidentally, but you would still be able to delete the accounts inside it. Use Set-ADObject to protect the accounts.

-ProtectedFromAccidentalDeletion <Boolean>: Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include:

$false or 0

$true or 1

The following example shows how to set this parameter to true.

-ProtectedFromAccidentalDeletion $true
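The following is an added example, not part of the original question set, that applies the answer to every managed service account under OU1 and then checks for any account that is still unprotected. The distinguished name of OU1 is an assumed placeholder.

```powershell
# Added example, not from the original question. The OU distinguished name
# below is an assumed placeholder; replace the DC= components with your domain.
Import-Module ActiveDirectory

$ou = 'OU=OU1,DC=contoso,DC=com'   # assumed placeholder DN for OU1

# Protect the OU container itself. This guards the OU object only;
# objects inside it can still be deleted.
Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $true

# Protect every managed service account located under OU1. Set-ADObject is the
# cmdlet that exposes -ProtectedFromAccidentalDeletion, so the account objects
# returned by Get-ADServiceAccount are piped to it.
Get-ADServiceAccount -Filter * -SearchBase $ou |
    Set-ADObject -ProtectedFromAccidentalDeletion $true

# Verify: list any managed service account under OU1 that is still unprotected.
# An empty result means every account in the OU is now protected.
Get-ADServiceAccount -Filter * -SearchBase $ou -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName
```

Note that the protection is enforced by a Deny "Delete" and "Delete Subtree" ACE on the object, so an administrator can still remove the account after clearing the flag again.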

Question No: 332 DRAG DROP – (Topic 4)

Your company plans to open a new branch office.

The new office will have a low-speed connection to the Internet.

You plan to deploy a read-only domain controller (RODC) in the branch office.

You need to create an offline copy of the Active Directory database that can be used to install the Active Directory on the new RODC.

Which commands should you run from Ntdsutil?

To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Question No: 333 – (Topic 4)

A domain controller named DC4 runs Windows Server 2008 R2. DC4 is configured as a DNS server for fabrikam.com.

You install the DNS Server server role on a member server named DNS1 and then you create a standard secondary zone for fabrikam.com. You configure DC4 as the master server for the zone.

You need to ensure that DNS1 receives zone updates from DC4. What should you do?

Question No: 335 – (Topic 4)

Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com.

The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone.

You install a new domain controller named DC2 in the branch office. You install DNS on DC2.

You need to ensure that the DNS service can update records and resolve DNS queries in the event that the WAN link fails.

What should you do?

A. Create a new secondary zone named ad.contoso.com on DC2.

B. Create a new stub zone named ad.contoso.com on DC2.

C. Configure the DNS server on DC2 to forward requests to DC1.

D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.

Answer: D

Explanation:

Three answers don't make sense, leaving us with the one that works:

Create a new secondary zone named ad.contoso.com on DC2. This would create a read-only zone, so it couldn't be updated.

Create a new stub zone named ad.contoso.com on DC2. This stub zone would contain only source information about the authoritative name servers for its zone, which here is DC1, and DC1 would be unavailable if the WAN link fails.

Configure the DNS server on DC2 to forward requests to DC1. This doesn't help if the WAN link fails and DC1 is unavailable.

Question No: 336 – (Topic 4)

You have a client computer named Computer1 that runs Windows 7. On Computer1, you configure a source-initiated subscription.

You configure the subscription to retrieve all events from the Windows logs of a domain controller named DC1.

The subscription is configured to use the HTTP protocol.

You discover that events from the Security log of DC1 are not collected on Computer1. Events from the Application log of DC1 and the System log of DC1 are collected on Computer1.

You need to ensure that events from the Security log of DC1 are collected on Computer1. What should you do?

A. Add the computer account of Computer1 to the Event Log Readers group on the domain controller.

B. Add the Network Service security principal to the Event Log Readers group on the domain.

C. Configure the subscription to use custom Event Delivery Optimization settings.

You can modify which default attributes are carried over to a newly copied user or specify additional attributes that will be copied to the new user. To do this, open the Active Directory Schema snap-in, view the desired attribute properties, and select (or clear) the Attribute is copied when duplicating user check box. You can modify or add only the attributes that are instances of the user class.

The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.

The key archival process takes place when a certificate is issued. Therefore, a certificate template must be modified to archive keys before any certificates are issued based on this template.

Key archival is strongly recommended for use with the Basic Encrypting File System (EFS) certificate template in order to protect users from data loss, but it can also be useful when applied to other types of certificates.

To configure a certificate template for key archival and recovery:

Open the Certificate Templates snap-in.

In the details pane, right-click the certificate template that you want to change, and then click Duplicate Template.

In Template, type a new template display name, and then modify any other optional properties as needed.

On the Security tab, click Add, type the name of the users or groups you want to issue the certificates to, and then click OK.

Under Group or user names, select the user or group names that you just added. Under Permissions, select the Read and Enroll check boxes, and if you want to automatically issue the certificate, also select the Autoenroll check box.

DC2 may be shipped to Site2, but it's not yet associated properly with Site2 in Active Directory.

Reference 1:

http://technet.microsoft.com/en-us/library/cc816674.aspx

To move a server object to a new site:

Open Active Directory Sites and Services.

In the console tree, expand Sites and the site in which the server object resides.

Expand Servers to display the domain controllers that are currently configured for that site.

Right-click the server object that you want to move, and then click Move.

In Site Name, click the destination site, and then click OK.

Expand the site object to which you moved the server, and then expand the Servers container.

Verify that an object for the server that you moved exists.

Expand the server object, and verify that an NTDS Settings object exists.

Reference 2:

http://technet.microsoft.com/en-us/library/cc754697.aspx

Using sites

Sites help facilitate several activities, including: (…)

Authentication. Site information helps make authentication faster and more efficient. When a client logs on to a domain, it first requests a domain controller in its local site for authentication. By establishing sites, you can ensure that clients use domain controllers that are nearest to them for authentication, which reduces authentication latency and traffic on wide area network (WAN) connections.